
Pentest

This section documents the steps taken to give pentesters access to the staging

Steps Taken

1. Created Kali Linux EC2 Instance (Sandbox AWS Account)

  • Created an EC2 instance called pentest-kali-staging with:
    • AMI: debian-kali-last-snapshot...
    • Instance type: t3.medium
    • Keypair: None
    • VPC: main
    • Subnet: main-private-c
    • Security group: no ingress
    • Storage: 50 GB gp3
    • IAM role: ec2-ssm-role (single managed policy attached: AmazonSSMManagedInstanceCore)
    • User data:
#!/bin/bash

apt-get update -y
apt-get install -y curl

# Download SSM agent from AWS
curl -o /tmp/amazon-ssm-agent.deb https://s3.eu-west-2.amazonaws.com/amazon-ssm-eu-west-2/latest/debian_amd64/amazon-ssm-agent.deb

# Install it
dpkg -i /tmp/amazon-ssm-agent.deb || apt-get install -f -y

# Enable + start service
systemctl enable amazon-ssm-agent
systemctl start amazon-ssm-agent

2. Created Identity Center User (IAM AWS Account)

  • Created a new user with pentester’s email, enforced MFA in IAM Identity Center
  • Skipped group assignment (use direct permissions instead)
  • Enabled email invitation flow (password/MFA set by the user)

3. Created SecurityAudit Permission Set (IAM AWS Account)

  • Created a new permission set Pentest-SecurityAudit
  • Attached single AWS managed policy SecurityAudit
  • Set session duration to 4 hours

4. Created SSM Access Permission Set (IAM AWS Account)

  • Created a new permission set Pentest-SSM-Access
    • Set session duration to 4 hours
  • Attached inline policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionToKaliOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ec2:eu-west-2:609902089584:instance/<INSTANCE ID FOR KALI LINUX INSTANCE PROVISIONED ABOVE>",
        "arn:aws:ssm:eu-west-2::document/AWS-StartSSHSession",
        "arn:aws:ssm:eu-west-2:609902089584:document/SSM-SessionManagerRunShell"
      ]
    },
    {
      "Sid": "ManageOwnSessions",
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession",
        "ssm:ResumeSession"
      ],
      "Resource": "arn:aws:ssm:eu-west-2:609902089584:session/${aws:userid}-*"
    },
    {
      "Sid": "DescribeForConsoleAndCli",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus",
        "ssm:DescribeInstanceInformation",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}

5. Assigned SecurityAudit Access

  • Assigned pentester user directly to the IAM, Management, Sandbox and Tools AWS accounts
  • Applied the newly created permission set Pentest-SecurityAudit
  • Double checked no access granted to other accounts (prod, etc)

6. Assigned SSM Access

  • Assigned Pentest-SSM-Access permission set to the pentester user in the sandbox AWS account only

7. Validated Access

  • Ran through the above with a test user
  • Confirmed staging Kali instance is accessible via SSM
  • Confirmed SecurityAudit access to IAM, Management, Sandbox and Tools accounts
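
The scoping that the Pentest-SSM-Access inline policy relies on, and that the validation step confirms by hand with a test user, can also be checked statically whenever the policy is edited. The linter below is an added example, not part of the original runbook; the instance id i-0123456789abcdef0 is constructed, and the names lint, as_list, KALI_ARN, OWN_SESSIONS and PAGE_POLICY are assumptions made for illustration.

```python
KALI_ARN = "arn:aws:ec2:eu-west-2:609902089584:instance/i-0123456789abcdef0"  # constructed id
OWN_SESSIONS = "session/${aws:userid}-*"
# The page's inline policy, with its instance placeholder filled by the constructed id.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "StartSessionToKaliOnly", "Effect": "Allow", "Action": "ssm:StartSession",
     "Resource": [KALI_ARN,
                  "arn:aws:ssm:eu-west-2::document/AWS-StartSSHSession",
                  "arn:aws:ssm:eu-west-2:609902089584:document/SSM-SessionManagerRunShell"]},
    {"Sid": "ManageOwnSessions", "Effect": "Allow",
     "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
     "Resource": "arn:aws:ssm:eu-west-2:609902089584:session/${aws:userid}-*"},
    {"Sid": "DescribeForConsoleAndCli", "Effect": "Allow",
     "Action": ["ssm:DescribeSessions", "ssm:GetConnectionStatus",
                "ssm:DescribeInstanceInformation", "ec2:DescribeInstances"],
     "Resource": "*"}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint(policy, allowed_instance_arn):
    """Return findings where an Allow statement is broader than the scoping above."""
    findings = []
    for st in policy["Statement"]:
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") != "Allow":
            continue
        if "Action" not in st or "Resource" not in st:
            findings.append(f"{sid}: NotAction/NotResource cannot be checked here")
            continue
        for action in (a.lower() for a in as_list(st["Action"])):
            name = action.partition(":")[2]
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
                continue
            for res in as_list(st["Resource"]):
                if action == "ssm:startsession":
                    # Only the one instance and fully named session documents are expected.
                    doc_ok = ":document/" in res and "*" not in res
                    if res != allowed_instance_arn and not doc_ok:
                        findings.append(f"{sid}: StartSession allowed on {res}")
                elif action in ("ssm:terminatesession", "ssm:resumesession"):
                    if not res.endswith(OWN_SESSIONS):
                        findings.append(f"{sid}: {name} not limited to own sessions")
                elif not name.startswith(("describe", "get")):
                    findings.append(f"{sid}: unexpected action {action} on {res}")
    return findings

if __name__ == "__main__":
    print(lint(PAGE_POLICY, KALI_ARN))
```

The check reads only Effect, Action and Resource; Condition blocks are not evaluated, so it complements the test-user validation rather than replacing it.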